From: Artem Boldariev
Date: Mon, 30 Oct 2023 17:37:34 +0000 (+0200)
Subject: Avoid using sock->iface and sock->peer from the lower transport
X-Git-Tag: v9.19.19~10^2~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6725d36cfd390ecf80be6f70033d19857f31b983;p=thirdparty%2Fbind9.git
Avoid using sock->iface and sock->peer from the lower transport
This commit modifies TLS Stream and DNS-over-HTTPS transports so that they do not use the "sock->iface" and "sock->peer" of the lower level transport directly. That did not cause any problems before, as things worked as expected, but with the introduction of PROXYv2 support we use handles to store the information in both PROXY Stream and UDP Proxy transports. Therefore, in order to propagate the information (like addresses), extracted from PROXYv2 headers, from the lower level transports to the higher-level ones, we need to get that information from the lower-level handles rather than sockets. That means that we should get the peer and interface addresses using the intended APIs ("isc_nmhandle_peeraddr()" and "isc_nmhandle_localaddr()").
---
diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index e4083e5edb9..19775aefdb8 100644
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -1385,8 +1385,8 @@ transport_connect_cb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 transp_sock->h2.session = session;
 http_sock->h2.connect.tlsctx = NULL;
 /* otherwise we will get some garbage output in DIG */
- http_sock->iface = handle->sock->iface;
- http_sock->peer = handle->sock->peer;
+ http_sock->iface = isc_nmhandle_localaddr(handle);
+ http_sock->peer = isc_nmhandle_peeraddr(handle);
 transp_sock->h2.connect.post = http_sock->h2.connect.post;
 transp_sock->h2.connect.uri = http_sock->h2.connect.uri;
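Review bot: The comment kept above the two assignments in transport_connect_cb, `/* otherwise we will get some garbage output in DIG */`, does not say why the addresses must now come from the handle accessors, so a later cleanup could go back to `handle->sock->iface` and `handle->sock->peer` and silently lose addresses that a lower transport keeps in the handle. I would extend it to something like `/* take both addresses from the handle, not handle->sock: PROXY transports store them in the handle */`. The same comment would help above the two assignments in tcp_connected in lib/isc/netmgr/tlsstream.c (hunk @@ -1242,8 +1244,8), where the hunk shows none. Both function bodies start and end outside their hunks.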
@@ -1672,6 +1672,7 @@ server_on_begin_headers_callback(nghttp2_session *ngsession,
 isc_nm_http_session_t *session = (isc_nm_http_session_t *)user_data;
 isc_nmsocket_t *socket = NULL;
 isc__networker_t *worker = NULL;
+ isc_sockaddr_t local;
 if (frame->hd.type != NGHTTP2_HEADERS || frame->headers.cat != NGHTTP2_HCAT_REQUEST)
@@ -1689,10 +1690,9 @@ server_on_begin_headers_callback(nghttp2_session *ngsession,
 worker = session->handle->sock->worker;
 socket = isc_mem_get(worker->mctx, sizeof(isc_nmsocket_t));
- isc__nmsocket_init(socket, worker, isc_nm_httpsocket,
- (isc_sockaddr_t *)&session->handle->sock->iface,
- NULL);
- socket->peer = session->handle->sock->peer;
+ local = isc_nmhandle_localaddr(session->handle);
+ isc__nmsocket_init(socket, worker, isc_nm_httpsocket, &local, NULL);
+ socket->peer = isc_nmhandle_peeraddr(session->handle);
 socket->h2 = (isc_nmsocket_h2_t){
 .psock = socket,
 .stream_id = frame->hd.stream_id,
diff --git a/lib/isc/netmgr/tlsstream.c b/lib/isc/netmgr/tlsstream.c
index 6f4d4f495c3..0fad37737b8 100644
--- a/lib/isc/netmgr/tlsstream.c
+++ b/lib/isc/netmgr/tlsstream.c
@@ -882,6 +882,7 @@ tlslisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 isc_nmsocket_t *tlslistensock = (isc_nmsocket_t *)cbarg;
 isc_nmsocket_t *tlssock = NULL;
 isc_tlsctx_t *tlsctx = NULL;
+ isc_sockaddr_t local;
 /* If accept() was unsuccessful we can't do anything */
 if (result != ISC_R_SUCCESS) {
@@ -899,12 +900,13 @@ tlslisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 return (ISC_R_CANCELED);
 }
+ local = isc_nmhandle_localaddr(handle);
 /*
 * We need to create a 'wrapper' tlssocket for this connection.
 */
 tlssock = isc_mem_get(handle->sock->worker->mctx, sizeof(*tlssock));
 isc__nmsocket_init(tlssock, handle->sock->worker, isc_nm_tlssocket,
- &handle->sock->iface, NULL);
+ &local, NULL);
 /* We need to initialize SSL now to reference SSL_CTX properly */
 tlsctx = tls_get_listener_tlsctx(tlslistensock, isc_tid());
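Review bot: In server_on_begin_headers_callback (lib/isc/netmgr/http.c, hunk @@ -1689,10 +1690,9) `isc__nmsocket_init()` now receives `&local`, the address of an automatic variable, where it used to receive a pointer into the long-lived lower socket. That is only safe if the init routine copies the `isc_sockaddr_t` instead of keeping the pointer, and its body is not part of this diff. Assuming it does copy, a one-line comment would pin the lifetime assumption: `/* isc__nmsocket_init() copies *iface, so 'local' only has to live for the call */`. The same applies to `&local` in tlslisten_acceptcb in lib/isc/netmgr/tlsstream.c (hunk @@ -899,12 +900,13). Both functions continue outside their hunks.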
@@ -922,7 +924,7 @@ tlslisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 tlssock->accept_cbarg = tlslistensock->accept_cbarg;
 isc__nmsocket_attach(handle->sock, &tlssock->listener);
 isc_nmhandle_attach(handle, &tlssock->outerhandle);
- tlssock->peer = handle->sock->peer;
+ tlssock->peer = isc_nmhandle_peeraddr(handle);
 tlssock->read_timeout = atomic_load_relaxed(&handle->sock->worker->netmgr->init);
@@ -1242,8 +1244,8 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 INSIST(VALID_NMHANDLE(handle));
- tlssock->iface = handle->sock->iface;
- tlssock->peer = handle->sock->peer;
+ tlssock->iface = isc_nmhandle_localaddr(handle);
+ tlssock->peer = isc_nmhandle_peeraddr(handle);
 if (isc__nm_closing(worker)) {
 result = ISC_R_SHUTTINGDOWN;
 goto error;
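Review bot: With `tlssock->peer = isc_nmhandle_peeraddr(handle);` in tlslisten_acceptcb (hunk @@ -922,7 +924,7), the peer stored on an accepted TLS socket can now be an address taken from a PROXYv2 header, going by the commit description, rather than the address of the connected socket, and nothing at this line records that. Whether the sender of that header was checked as a trusted proxy is decided in the lower transport, which this diff does not show. Anything that later uses `tlssock->peer` for access control or logging inherits that trust decision, so I would document it here, e.g. `/* may be the PROXYv2-supplied client address, not the directly connected endpoint */`. The same holds for `socket->peer = isc_nmhandle_peeraddr(session->handle);` in server_on_begin_headers_callback in lib/isc/netmgr/http.c. The function body extends beyond the hunk.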